Spotlight Feature Articles CYBER SECURITY | Page 2

CYBER SECURITY

With several large industrial firms still reeling from recent cyber attacks, miners need to protect what is becoming an increasingly large pool of data, processes and autonomous equipment. Dan Gleeson finds out how they should do this.

Protectionist measures

Cyber security was propelled up the agenda in 2017 when the WannaCry, NotPetya and Triton incidents infected the systems of many unprepared industrial companies. These three events showed that a company doesn’t have to constantly be in the media spotlight to become the subject of an attack; all they need to be is digitally connected. Shipping firm Maersk, pharmaceutical company Merck and auto manufacturer Renault were just some of the victims.

These incidents have been a wake-up call for the mining industry, according to Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division, ABB.

“Many management boards now see the need to address the cyber-security risk to their industrial operations. After WannaCry, NotPetya and Triton, the evidence that such incidents can affect industrial operations is publicly documented now with practical examples and high impacts – ignoring the risk could be interpreted as negligence,” he told IM.

Even before this, mining companies had not been immune to cyber events. In 2016, Goldcorp was the subject of a data breach by anonymous hackers who posted large amounts of the miner’s private information online, while all the way back in 2014, undersea mining hopeful Nautilus Minerals became the victim of a scam.

Michael Rundus, Global Mining & Metals Security Leader for EY, said the firm’s recent Global Information Security Survey identified that 54% of mining companies had experienced a “significant” cyber incident in the past 12 months.

The indications are mining companies have reacted to these and other events, with Rundus saying they had been investing in protective measures of late.

“Our recent Global Information Security Survey revealed that 53% of energy and resources organisations have increased their spend on cyber security over the last 12 months,” he told IM.

There is a ‘but’.

International Mining | JANUARY 2019

“While budgets are increasing, they are not currently sufficient to effectively manage the increasing risk, particularly to mission-critical operational technology. Indeed, as mining and metals companies continue to move into the digital age, budgets will certainly need to be increased to manage the growing threat,” he said.

Paul Zonneveld, Global Energy Resources & Industrials Risk Advisory Leader for Deloitte, agreed with this assessment.

“It is not that (cyber security) isn’t receiving any investment, however the pace of investment is not at the same level as what is going into operational technology,” he told IM.

Joe Carr, Mining Innovation Director for Inmarsat, the owner and operator of a global satellite network, said companies are struggling to know the most effective way to shield themselves from such attacks.

“We found [in our own research] that 64% of mining businesses reported that the risk of external cyber attacks was the biggest security challenge in their industrial Internet of Things (IoT) deployments, and that 70% of organisations require additional staff with cyber security skills – higher than any other discipline,” he told IM.

This imbalanced equation and lack of understanding could prove problematic for mining companies going forward. While they may appease concerned investors that have witnessed cyber attacks by saying they, at least, have some protective measures in place, they may be becoming a larger target in the process of transitioning to more digital and autonomous solutions on their mine sites.

Investment rationale

In a world where every investment must be justified from a financial standpoint, how can companies ensure they are protected from these cyber risks?

Zonneveld said: “You need to ask: what are you trying to accomplish? Which technologies are you implementing? And, what could the threats be to these technologies?

“For example, if you are designing automation capabilities to remove drivers from trucks, the security team should ask themselves, ‘what is the consequence if the communication between the control centre and the truck is intercepted? Could the truck be shut down? Could an external party take control?’ Based on this, security capabilities are built into the design, whether that is authentication, monitoring, malware detection, etc.”

Inmarsat’s research showed 64% of mining businesses reported that the risk of external cyber attacks was the biggest security challenge in their industrial Internet of Things deployments

One of the keys to warding off cyber attacks is the timing of the protective measures to be employed.

“Many of the counter measures, which include preventive, detective and responsive-type controls, are not that difficult to implement but they are very difficult to retrofit. It's all about implementing them at the right time,” Zonneveld said.

“For example, when building an office tower, a potential threat could be that the office tower could catch fire. As a preventative measure, fire suppression systems are built-in throughout the structure to make sure that if this happens, the fire suppression system can kick in quickly. If this counter measure is not built-in when the building is being constructed, it’s very difficult to retrofit it once the building has been completed.”

EY’s Rundus admits there is no “one-size fits all” approach to applying security measures for cyber attacks.

“A general rule is that the greater the ‘attack surface’, the greater the likelihood or susceptibility,” he said.

“Understanding the cyber threat landscape is the foundation step in the change required to improve cyber maturity.”

This is where a cyber security framework to identify critical gaps, threats and actions required to reduce risk is of great use, according to Rundus.

“We believe that irrespective of the framework adopted, a risk-based approach should be taken, which is fit for purpose, adopts a balance between ‘protect’ and ‘react’, and meets the operational requirements of an organisation,” he said.

Inmarsat’s Carr said: “From an Industrial IoT perspective, the first step is to find a trusted partner who will manage your connectivity as a service, and who considers security at every point that your data touches.”

He continued: “There are different ways to harden an Industrial IoT network, which include:

• “Secure management access (so that only